Skip to main content
The Keldyn MCP server lets AI assistants like Claude and Cursor call the Keldyn API on your behalf — securely querying frameworks and controls, tracking implementation and evidence, and managing GRC entities and tasks through the Model Context Protocol. Every request runs as you, scoped to a team you select at sign-in. This guide explains how to connect the Keldyn MCP server to your AI tool of choice.
The Keldyn MCP server is served over Streamable HTTP and authenticates with OAuth 2.1. There is no API key or static token — signing in through your browser is the only way to connect.

Find your MCP URL

The Keldyn MCP server answers every request at the root path (/):
https://mcp.keldyn.ai/
Keep the trailing slash on the URL, and use the exact host your client connects to. The URL is the OAuth resource identifier, so it must match byte-for-byte.

Prerequisites

Before connecting, confirm the following:
  • Keldyn account — You sign in with your normal Keldyn credentials in the browser during the OAuth flow.
  • Team membership — You must belong to at least one team. You’ll pick a team during sign-in, and every request is scoped to it.
  • Team admin (for some tools) — Listing integration-collected control evidence (list-control-evidence) requires a team-admin token.
  • Supported AI tool — Any client that supports remote MCP servers with OAuth, including Claude Code, Cursor, VS Code, and Codex.

Claude Code

1

Add the MCP server

Run the following command in your terminal:
claude mcp add --transport http keldyn https://mcp.keldyn.ai/
2

Authenticate

In Claude Code, run /mcp and select keldyn. A webpage will open in your browser — sign in, choose the team you want to act as, and click Allow.
3

Start using Keldyn MCP

Once authorized, you’re ready to start querying and updating your Keldyn data from Claude Code.

Add to Cursor

1

Open Cursor settings

Open Settings in Cursor.
2

Add a custom MCP server

Select Tools & MCP → Add custom MCP.
3

Add the Keldyn configuration

Paste the following configuration:
{
  "mcpServers": {
    "keldyn": {
      "url": "https://mcp.keldyn.ai/"
    }
  }
}
4

Authenticate

Cursor opens the Keldyn consent page in your browser. Sign in, choose a team, and approve. Cursor completes the OAuth handshake automatically.

Other MCP-compatible clients

Keldyn MCP is a standard remote MCP server over Streamable HTTP. Any tool that can connect to a remote MCP endpoint with OAuth — including VS Code (via an MCP-capable extension), Codex, and other emerging MCP clients — can connect to Keldyn. The setup steps above (Claude Code, Cursor) are the officially tested paths. Other clients aren’t formally validated, but typically work with the same two pieces of configuration:
  • Server URLhttps://mcp.keldyn.ai/. See Find your MCP URL.
  • Authentication — OAuth. Sign in as a Keldyn user and pick a team when the browser flow opens.
Consult your client’s documentation for where to register a remote MCP server. Dynamic Client Registration and the full OAuth handshake are automatic — your client discovers everything it needs from the server’s /.well-known/oauth-protected-resource metadata and opens the consent page for you.

How authentication works

Keldyn MCP is an OAuth 2.1 Resource Server, so you never paste a token or key. When your client first connects, it walks the standard discovery-and-consent flow for you:
1

Discovery

Your client makes an unauthenticated request, receives a 401 with a WWW-Authenticate challenge, and reads the server’s Protected Resource Metadata to discover Keldyn’s Authorization Server.
2

Registration & consent

Your client registers itself (Dynamic Client Registration) and opens the Keldyn consent page (PKCE, S256). You sign in, select a team, and approve.
3

Token exchange

Your client exchanges the authorization code for a short-lived access token (about 1 hour) plus a refresh token, and calls the MCP endpoint with Authorization: Bearer <token>.
Access tokens are scoped to the team you selected, so tools act as the signed-in user on that team. When a token expires, your client silently refreshes it and retries. To revoke access, sign out or revoke the connection from your Keldyn account.

What your AI agents can do with Keldyn MCP

Once connected, your AI assistant can work across your GRC program. Tools call the Keldyn API on your behalf; org context is resolved automatically from the team you signed in with.

Frameworks & use cases

  • list-frameworks — Browse compliance/security frameworks (scope to a use case, the org, or all frameworks).
  • list-use-cases — List use cases for your team, with pagination and filters (search, status, risk level, business area, owner).
  • get-use-case — Fetch a single use case, including its frameworks and details.
  • update-use-case-architecture — Create or update a use case’s Threagile architecture model.

Controls, tracking & evidence

  • list-controls — List RCM controls across use-case and org scopes, each with implementation status and a human-readable status label.
  • get-control — Fetch a single control by rcmId with all API fields plus its tracking entry (status, evidence text, assignee, finding, timestamps).
  • update-control — Update a control’s implementation tracking (todo, in_progress, complete, ignored) and optionally set evidence text, assignee, or a finding.
  • list-control-links — List audits, measures, obligations, or documents linked to a control.
  • list-control-evidence — List integration-collected (automated) control evidence with freshness/status. (Requires a team-admin token.)
  • list-evidences / get-evidence — Browse and fetch manual measure evidence (files and links).

Audits

  • list-audits / get-audit — List audits for the organization and fetch a single audit.
  • list-audit-controls — List the controls in scope for an audit.

GRC entities

  • list-entities / get-entity — Access risks, measures, obligations, findings, tasks, and data records.
  • list-entity-links — Traverse links between entities (e.g. risks → measures, obligations → controls).

Tasks

  • list-tasks / get-task — List and fetch organization tasks, filtered by measure, state, priority, or search.
  • create-task / update-task / delete-task — Full task CRUD; link a task to the control it addresses with rcmId.

Built-in workflows (prompts)

The Keldyn MCP server ships guided prompts that combine your controls with your local repository context, so your agent can act with the right compliance framing:
  • review-changes — Review your code changes against the org’s Keldyn controls.
  • review-codebase — Review the whole codebase (or a scoped path/package) against controls.
  • start-dev — Prime the agent with developer guidance from applicable controls.
  • generate-architecture — Infer a Threagile architecture from your codebase and save it to a use case.
  • collect-evidence — Scan your codebase for positive evidence that code-related controls are satisfied, then confirm before saving.

Resources

Model Context Protocol

Learn more about the open protocol that powers the Keldyn MCP server and other AI tool integrations.

MCP Inspector

Interactively test and debug an MCP server — list and call the Keldyn tools, prompts, and resources against a running instance.